FFIEC Mandates “System Of Layered Security” to Combat Fraud

For any cave-dwelling, living-under-a-rock, head-in-the-sand, naïve, under-informed members of society who aren’t paying attention, we have serious cyber-security issues on our hands.

Black hat hackers, who break into networks to steal for financial gain, are wreaking havoc on banks, retailers, online gaming websites, and social media. Black hats cost these companies and their clients billions of dollars every year. They are using stolen usernames and passwords to transfer money through wire transfers, Automated Clearing House (ACH) and through billing fraud.

The Federal Financial Institutions Examination Council (FFIEC) has repeatedly made clear that, come January 2012, any lagging financial institutions will be required to significantly upgrade their security protocols. Since any existing form of authentication can be compromised, the FFIEC recommends that financial institutions institute systems of “layered security.”

Previous FFIEC recommendations discussed authentication, suggesting that the security issue takes place when a user logs in. But in fact, not all the danger occurs at login. Other website integration points are vulnerable to security issues, particularly at the point when money is transferred.

According to the FFIEC’s recent update:

“Fraudsters use keyloggers to steal the logon ID, password, and challenge question answers of financial institution customers. This information alone or in conjunction with stolen browser cookies loaded on the fraudster’s PC may enable the fraudster to log into the customer’s account and transfer funds to accounts controlled by the fraudster, usually through wire or ACH transactions.”

One of the FFIEC’s recommendations for financial institutions involves complex device identification. iovation, an Oregon-based security firm, goes a step further by offering Device Reputation, which builds on complex device identification with real-time risk assessments, the history of fraud on groups of devices, and their relationships with other devices and accounts, thereby exposing fraudsters working together to steal from online businesses.

Smart financial institutions aren’t just complying with the FFIEC’s security recommendations, but are going beyond by incorporating device reputation into their layered security approach.

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses another data breach on Good Morning America. (Disclosures)

Mobile Banking More Secure Than Computer E-Commerce?

Mobile banking is on the rise for more reasons than convenience alone. In truth, it’s more secure than traditional online banking. Accessing your bank’s mobile website or using your bank’s mobile application is inherently more secure than using a computer.


Computers are big targets for thieves. PCs mostly run on Microsoft’s most hacked operating system, they typically contain a great deal of data, and they are vulnerable to viruses created by criminal hackers. Over the past decade criminals have learned the ins and outs of exploiting online banking using PCs. In the past 15 years or so, the desktop computer has been hacked in every possible way, making the computer and the data it contains and transmits extremely vulnerable to fraud.

Mobile banking, on the other hand, is relatively new: the operating systems vary, viruses and other malware aren’t as prevalent, and the technologies in the handsets themselves vary greatly among manufacturers.

Computers remain the “low-hanging fruit”; because computers are so vulnerable, mobile phones are comparatively less attractive targets.

The mobile carriers’ networks are more difficult to hack than your home or local coffee shop’s wireless network. Mobile carrier services like 3G have a much higher level of encryption and aren’t open like broadband internet, meaning that in most cases you can’t just jump on someone’s 3G connection.

With mobile banking there is the added benefit of additional layers of authentication, in which the account holder authorizes various transactions via text message or call backs with an additional code, making mobile banking even more secure.

As mobile banking becomes more popular, investigate it and try for yourself. You will love the convenience and appreciate the security.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto.

Why Complex Device Identification Isn’t Enough

“Simple device identification” relies on cookies or IP addresses to confirm that a customer is logging in from the same PC that was used to create the account.

The Federal Financial Institutions Examination Council has explained the fallibility of this system:

“Experience has shown this type of cookie may be copied and moved to a fraudster’s PC, allowing the fraudster to impersonate the legitimate customer. Device identification has also been implemented using geo-location or Internet protocol address matching. However, increasing evidence has shown that fraudsters often use proxies, which allow them to hide their actual location and pretend to be the legitimate user.”

“Complex device identification” is more sophisticated. This security technique relies on disposable, one-time cookies, and creates a complex digital fingerprint based on characteristics including PC configuration, Internet protocol addresses, and geolocation. According to the FFIEC, complex device identification is more secure, and institutions should no longer consider simple device identification adequate.

While complex device ID is more sophisticated, the next level of security is Device Reputation. This strategy incorporates geolocation, velocity, anomalies, proxy busting, webs of associations, fraud histories, commercially applied evidence of fraud or abuse, and more.

According to Max Anhoury, Vice President of Global Sales for iovation, “Financial institutions looking to stop fraud while reducing friction for good customers must tie together multiple layers of fraud and risk management for a holistic layered approach. Just this week, iovation presented to hundreds of financial services Info Security professionals and business managers regarding the recent FFIEC guidance (along with Experian Decision Analytics) about finding the optimal process points to strike the right balance between fraud prevention, customer experience and cost.” You can listen to the FFIEC-related webinar presentation at: www.iovation.com/ffiec

If you work in the information security industry, complex device identification is nothing new. While the FFIEC recommends complex identification, you should really be doing something more. The truly forward-thinking have already moved on and are successfully leveraging the benefits of Device Reputation and shared device intelligence.

Simple device identification was in place before the FFIEC mandated it. Now it has mandated complex device identification, but leading InfoSec professionals are already doing more to protect their retail and commercial banking customers by using device reputation.
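To make the three tiers concrete, here is an added Python sketch (not iovation’s product and not code from the original post) with constructed sample devices: a long-lived cookie that a copied cookie defeats, a one-time cookie plus configuration fingerprint that a copied cookie on a different PC fails, and a reputation registry that refuses a device already tied to too many accounts or flagged for fraud. The attribute names, the account-count threshold and the scenario are assumptions.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict

# Constructed sample devices; the attribute names are assumptions, not a real spec.
CUSTOMER_PC = {"ua": "Mozilla/5.0 (Windows NT 6.1)", "screen": "1366x768",
               "tz": "America/Chicago", "lang": "en-US", "geo": "US"}
FRAUDSTER_PC = {"ua": "Mozilla/5.0 (Windows NT 5.1)", "screen": "1024x768",
                "tz": "Europe/Bucharest", "lang": "ro-RO", "geo": "US"}  # via a US proxy


def fingerprint(pc):
    """Complex device ID: hash of configuration plus geolocation, order-independent."""
    return hashlib.sha256("|".join(f"{k}={pc[k]}" for k in sorted(pc)).encode()).hexdigest()


class Bank:
    def __init__(self, max_accounts_per_device=3):
        self.long_lived = {}          # account -> persistent cookie (simple device ID)
        self.one_time = {}            # account -> disposable cookie, valid for one login
        self.enrolled_fp = {}         # account -> fingerprint recorded at enrolment
        self.seen = defaultdict(set)  # fingerprint -> accounts it has logged in to
        self.flagged = set()          # fingerprints with a confirmed fraud history
        self.max_accounts = max_accounts_per_device

    def enrol(self, account, pc):
        self.long_lived[account] = secrets.token_hex(16)
        self.enrolled_fp[account] = fingerprint(pc)
        return self.issue_one_time(account)

    def issue_one_time(self, account):
        """Rotate the disposable cookie; any earlier copy stops working."""
        self.one_time[account] = secrets.token_hex(16)
        return self.one_time[account]

    def simple_check(self, account, cookie):
        """Tier 1: a cookie copied to another PC still passes (the FFIEC's objection)."""
        return hmac.compare_digest(self.long_lived[account], cookie)

    def complex_check(self, account, cookie, pc):
        """Tier 2: the one-time cookie is consumed on use AND the fingerprint must match."""
        expected = self.one_time.pop(account, None)
        cookie_ok = expected is not None and hmac.compare_digest(expected, cookie)
        return cookie_ok and fingerprint(pc) == self.enrolled_fp[account]

    def reputation_check(self, account, pc):
        """Tier 3: refuse a device with fraud history or one tied to too many accounts."""
        fp = fingerprint(pc)
        self.seen[fp].add(account)
        return fp not in self.flagged and len(self.seen[fp]) <= self.max_accounts


def layered_login(bank, account, cookies, pc):
    """Every tier runs; the login is admitted only if all of them pass."""
    result = {"simple": bank.simple_check(account, cookies["persistent"]),
              "complex": bank.complex_check(account, cookies["one_time"], pc),
              "reputation": bank.reputation_check(account, pc)}
    result["admitted"] = all(result.values())
    return result


def scenario():
    """Constructed walk-through: stolen cookie jar replayed from the fraud PC first,
    then alice re-authenticates, then the same fraud PC appears on more accounts."""
    bank = Bank()
    one_time = bank.enrol("alice", CUSTOMER_PC)
    stolen = {"persistent": bank.long_lived["alice"], "one_time": one_time}
    fraud = layered_login(bank, "alice", stolen, FRAUDSTER_PC)
    fresh = {"persistent": bank.long_lived["alice"], "one_time": bank.issue_one_time("alice")}
    customer = layered_login(bank, "alice", fresh, CUSTOMER_PC)
    ring = [bank.reputation_check(a, FRAUDSTER_PC) for a in ("bob", "carol", "dave")]
    return {"fraudster": fraud, "customer": customer, "ring": ring}
```

In the scenario the fraudster clears the simple check but not the complex one, and the fourth account seen from the same fingerprint is refused by the reputation tier.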

Robert Siciliano, personal security and identity theft expert contributor to iovation, discusses credit and debit card fraud on CNBC. Disclosures

Neighbor Gets 18 Years for Hacking Neighbor

Home security in the physical world is locks, cameras and a home security system. In the virtual world, home security is protecting your home’s wireless internet connection.

I’ve spoken many times of how hackers can invade your wireless internet and steal your identity by getting onto your computer. We’ve also touched on how pedophiles can hijack your wireless internet and download child porn, which can get the FBI’s attention, resulting in a battering ram on your front door at 3 am.

In Minnesota prosecutors put away a “depraved criminal” for 18 years as a result of virtually torturing his neighbors via their Wi-Fi connection.

After a brief encounter with his new neighbors, he began “a calculated campaign to terrorize his neighbors”.

Wired reports: “He demonstrated by his conduct that he is a dangerous man. When he became angry at his neighbors, he vented his anger in a bizarre and calculated campaign of terror against them,” prosecutor Timothy Rank said in a court filing. “And he did not wage this campaign in the light of day, but rather used his computer hacking skills to strike at his victims while hiding in the shadows.”

It’s a pretty frightening story that should scare you into locking down your wireless internet.

When setting up a wireless router, there are two recommended security protocol options: Wi-Fi Protected Access (WPA and WPA2), a certification program that was created in response to several serious weaknesses researchers had found in the previous system, Wired Equivalent Privacy (WEP).

Robert Siciliano personal and home security specialist to Home Security Source discussing home security and identity theft on TBS Movie and a Makeover. Disclosures.


Rogue Locksmiths Pose Threat to Home Security

I’m a big fan of the trade and recommend everyone engage their local locksmith for a review of their hardware to determine whether it is adequate for their home security. Chances are at some point in your life you will need a locksmith in an emergency situation, whether for your car, home or place of business.

But like any trade there are professionals and there are shysters. Locksmithing is worldwide, but your locksmith should be local, trusted and a member of the Associated Locksmiths of America, at least.

The Federal Trade Commission has issued an alert regarding shifty, shady, unlicensed, scammy locksmiths.

“If you’ve ever locked yourself out of your car or home, you know what a hassle it can be. Your first thought is to get someone to help you out of your situation. If a family member or friend can’t deliver a spare set of keys, your next call might be to a local locksmith. But before you make that call, consider this: According to the Federal Trade Commission (FTC), the nation’s consumer protection agency, some locksmiths advertising in your local telephone book may not be local at all. They may not have professional training. What’s more, some of them may use intimidating tactics and overcharge you.”

Research local locksmiths before you need one, the same way you would a plumber, electrician, or other professional. Use your town’s local newspaper or local directory as opposed to the yellow pages. Scammers often use the yellow pages rather than local directories. Plug the number into your mobile phone now.

When ordering services get an estimate for everything and hold them to it. There shouldn’t be a big mystery to what work they will need to do.

Ask the locksmith for ID and expect the locksmith to ask you for identification, as well. A legitimate locksmith should confirm your identity and make sure you’re the property owner before doing any work.


Some locksmiths will work out of a car for quick or emergency jobs, but most will arrive in a service vehicle that is clearly marked with their company’s name.


Robert Siciliano personal and home security specialist to Home Security Source discussing ADT Pulse on Fox News Live. Disclosures


Flash Mob Attacks On The Rise

You’ve heard of “flash mobs,” in which a group of people suddenly gathers in some form of public place for a performance of some sort, generally in the name of fun. They are formed when someone posts something on Facebook or Twitter and text messages begin to go viral. All of a sudden a time and meeting place is confirmed and the party begins a short time later.

One example appears in a television commercial: a man dances alone in what looks like Grand Central Station in New York, having received the text too late that the flash mob moved to another location. Another fun example happened on Cape Cod, not far from where I live, around Independence Day, when a number of musicians flash-mobbed a supermarket in song. Here, it’s awesome!

But an unfortunate twist to flash mobs is the kind that is born to be vicious and violent. There seems to be a trend happening in parts of the country that you need to be aware of. One such flash mob happened in Boston, when a reported 1,000 youths, many involved in gangs, gathered at or near a beach and many began fighting.

Just like home security, your personal security begins with situational awareness. Situational awareness is key to avoiding and removing yourself from a dangerous situation. The moment something seems wrong move to safety.

Always be aware of what is going on 100 feet around the perimeter of your body. When something seems wrong, it is wrong.

The moment your intuition senses danger, run. I’m a big fan of running, just like gazelles are big fans of running from lions.

Robert Siciliano personal and home security specialist to Home Security Source discussing ADT Pulse on Fox News. Disclosures

The Benefits of Multifactor Authentication

The Federal Financial Institutions Examination Council (FFIEC), a formal government interagency body empowered to prescribe uniform principles, standards, and report forms for the federal examination of financial institutions, recently issued a supplement to the 2005 document “Authentication in an Internet Banking Environment” effective January 2012. The FFIEC has acknowledged that cybercrime is increasing and financial institutions need to increase their security and that of their customers.

Specifically the FFIEC states: “Since virtually every authentication technique can be compromised, financial institutions should not rely solely on any single control for authorizing high risk transactions, but rather institute a system of layered security, as described herein.”

This means the simple “username/password” combination for accessing your online banking is ineffective on its own. It also means that banks should “adjust their customer authentication controls as appropriate in response to new threats to customers’ online accounts” and that “financial institutions should implement more robust controls as the risk level of the transaction increases.”

The FFIEC’s previous statement implies it is encouraging the use of dual customer authorization typically seen when using digital security devices including smartcards and password generating key fobs.

This is where multifactor authentication comes in. Multifactor is generally something the user knows, like a password, plus something the user has, like a smart card, and/or something the user is, like a fingerprint. In its simplest form, it is when a website asks for the four-digit security code from a credit card, or when our bank requires us to add a second password for our account.

Some institutions offer or require a key fob that provides a changing second password (one-time password) in order to access accounts, or reply to a text message to approve a transaction. All of this extra security is good for you.

Like Mom used to say, “Broccoli: like it or not, it’s for your own good.”

These measures provide layers of protection, which allow you to enjoy the convenience of online services with minimal risk. Logging in online and adding an extra code is far more convenient than schlepping all the way to the bank in person.
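The “changing second password” fob and the FFIEC’s call for stronger controls as transaction risk rises, as an added Python example that is not code from the original post or from any bank or vendor named here: a HOTP generator per RFC 4226, a constructed fob stand-in, and an authorize() function that demands the one-time code only for high-risk wire/ACH transactions. The risk thresholds, the counter look-ahead window and the account and transaction fields are assumptions; a real deployment would store a password hash rather than the password.

```python
import hashlib
import hmac
import struct


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HOTP (RFC 4226): HMAC-SHA1 over the 8-byte big-endian counter, dynamic
    truncation to a 31-bit integer, then the low `digits` decimal digits."""
    mac = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = mac[-1] & 0x0F
    code = int.from_bytes(mac[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{code % 10 ** digits:0{digits}d}"


class Fob:
    """Constructed stand-in for a key fob: each button press yields the next code."""
    def __init__(self, secret: bytes):
        self.secret, self.counter = secret, 0

    def press(self) -> str:
        code = hotp(self.secret, self.counter)
        self.counter += 1
        return code


class Account:
    """Server side: password, shared fob secret, and the next counter it will accept."""
    def __init__(self, password: str, fob_secret: bytes, look_ahead: int = 5):
        self.password, self.secret = password, fob_secret   # assumption: plaintext demo
        self.next_counter, self.look_ahead = 0, look_ahead

    def verify_otp(self, code: str) -> bool:
        """Accept a code within a small window (the user may have pressed the fob
        without submitting) and never re-accept a counter already used."""
        for c in range(self.next_counter, self.next_counter + self.look_ahead):
            if hmac.compare_digest(hotp(self.secret, c), code):
                self.next_counter = c + 1
                return True
        return False


def risk_level(txn: dict) -> str:
    """Assumed policy: wire/ACH to a new payee or of $1,000 or more is high risk."""
    if txn["type"] in ("wire", "ach") and (txn["new_payee"] or txn["amount"] >= 1000):
        return "high"
    return "low"


def authorize(acct: Account, txn: dict, password: str, otp=None) -> dict:
    """Layered control: password for everything, OTP stepped up for high-risk transactions."""
    level = risk_level(txn)
    if not hmac.compare_digest(acct.password.encode(), password.encode()):
        return {"risk": level, "approved": False, "reason": "bad password"}
    if level == "high":
        if otp is None:
            return {"risk": level, "approved": False, "reason": "otp required"}
        if not acct.verify_otp(otp):
            return {"risk": level, "approved": False, "reason": "bad otp"}
    return {"risk": level, "approved": True, "reason": "ok"}
```

The generator reproduces the RFC 4226 test vectors, and a code that was already accepted is rejected on replay because the counter only moves forward.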

Robert Siciliano, personal security expert contributor to Just Ask Gemalto.

What Identity Theft Protection Is and Is Not

To all you security companies out there, listen up: “identity theft protection” has become an overused and abused marketing term, which is often used to sell a product or service that doesn’t actually protect users from identity theft. It’s like labeling food “natural” when we know it’s not “organic.” It’s incorrect at best and a lie at worst.

Every security company on the planet claims to protect identities. But a firewall is not identity theft protection. An encrypted thumb drive is not identity theft protection. Antivirus software is not identity theft protection. One could argue that phishing alerts count as identity theft protection, but not really. Do these tools protect your identity? Sort of.

A true identity theft protection service monitors your identity by checking your credit reports and scanning the Internet for your personal information. It looks out for your Social Security number, and if something goes wrong, an identity theft protection service has people who’ll work with you to resolve the problem.

I get an email every month confirming my identity’s health. This is what identity theft protection looks like:

“Dear Robert Siciliano,

No news is good news! Your credit reports from all three bureaus, Experian®, Equifax®, and TransUnion®, have been monitored daily for the past month. We’re pleased to let you know that there is no new activity reported. As a McAfee Identity Protection user, we’ll continue to monitor your credit report every day for your protection.

Remember, McAfee Identity Protection helps protect you from the financial loss and hassle associated with identity theft. Log in to your Protection Center and review your protection status any time. Just click here and enter the Username and Password you selected when you enrolled.

As always, you can get help from a dedicated Fraud Resolution agent if any suspicious activity should appear on any of your credit reports.

If you have any questions about McAfee Identity Protection, please call Customer Support at 1-866-622-3911.


McAfee, Inc.”

That’s what identity theft protection is. Don’t get me started!

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss identity theft on YouTube. (Disclosures)

5 Security Considerations for a Mobile Phone

Nielsen reports “We are just at the beginning of a new wireless era where smartphones will become the standard device consumers will use to connect to friends, the internet and the world at large. The share of smartphones as a proportion of overall device sales has increased 29% for phone purchasers in the last six months; and 45% of respondents indicated that their next device will be a smartphone.”

Mobile users have recently captured the attention of cyber criminals. The Department of Homeland Security and the STOP. THINK. CONNECT. program recommend the following tips to help you protect yourself and to help keep the web a safer place for everyone.

You can protect yourself from cyber criminals by following, on your smartphone, the same safety rules you follow on your computer. These rules include:

Access the Internet over a secure network: Only browse the web through your service provider’s network (e.g., 3G) or a secure Wi-Fi network.

Be suspicious of unknown links or requests sent through email or text message: Do not click on unknown links or answer strange questions sent to your mobile device, regardless of who the sender appears to be.

Download only trusted applications: Download “apps” from trusted sources or marketplaces that have positive reviews and feedback.

Be vigilant about online security: Keep anti-virus and malware software up to date, use varying passwords, and never provide your personal or financial information without knowing who is asking and why they need it.

Don’t jailbreak an iPhone: Most of the infections that have plagued iPhone users occur when the phone is jailbroken. Jailbreaking is the process of removing the limitations imposed by Apple on devices running the iOS operating system. Jailbreaking allows users to gain full access (or root access) to the operating system, thereby unlocking all its features. Once jailbroken, iOS users are able to download additional applications, extensions and themes that are unavailable through the official Apple App Store. Jailbroken phones are much more susceptible to viruses once users skirt Apple’s application vetting process, which is meant to ensure virus-free apps.

Robert Siciliano, personal security expert contributor to Just Ask Gemalto.

Medical Temp Arrested For Identity Theft

You’ve probably heard the phrase “a fox watching the henhouse.” Today, that applies to people on the inside of organizations who work in trusted positions, and who use those positions to steal client or employee information for their own personal gain.

As much as 70% of all identity theft is committed by individuals with inside access to organizations such as corporations, banks, or government agencies, or by someone who has an existing relationship with the victim. People with access to sensitive personal data are most likely to commit identity theft. For many, it’s just too easy not to.

In a doctor’s office in Stamford, Connecticut, police arrested a 42-year-old New York woman for using patients’ credit card numbers, which she accessed while working as a temporary hire. When patients paid by credit card, the temp would copy down the numbers and later make fraudulent charges.

An identity thief begins by acquiring a target’s personal identifying information, such as name, credit card number, Social Security number, birth date, home address, account information, etc. If the thief has access to a database, this information is typically there for the taking.

Many credit applications and online accounts request current and previous addresses. So the thief fills out the victim’s current address as “previous” and plugs in a new address, usually a P.O. box or the thief’s own address, where the new credit card or statement will be sent.

Protect yourself:

Currently, there is no way to prevent credit card fraud, or “account takeover.” Instead, check your statements diligently and refute unauthorized charges within 60 days, or two billing cycles. In most cases, your credit card company will quickly resolve the issue.

Protecting yourself from new account fraud begins with closely monitoring your credit files at each of the three major credit bureaus. However, you need to monitor your credit daily, which is nearly impossible on your own, and far from cost-effective. That’s where identity theft protection comes in.

To protect yourself from scams, consider subscribing to an identity theft protection service, which offers proactive identity surveillance, lost wallet protection, and alerts when suspicious activity is detected on your accounts. For additional tips, please visit CounterIdentityTheft.com.

Robert Siciliano is a McAfee consultant and identity theft expert. See him discuss an identity theft pandemic on CNBC. (Disclosures)